#!/usr/bin/python
# Copyright (c) 2017, Daniel Korn <korndaniel1@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import annotations


DOCUMENTATION = r"""
module: manageiq_user

short_description: Management of users in ManageIQ
extends_documentation_fragment:
  - community.general.manageiq
  - community.general.attributes

author: Daniel Korn (@dkorn)
description:
  - The manageiq_user module supports adding, updating and deleting users in ManageIQ.
attributes:
  check_mode:
    support: none
  diff_mode:
    support: none

options:
  state:
    type: str
    description:
      - V(absent) - user should not exist,
      - V(present) - user should be.
    choices: ['absent', 'present']
    default: 'present'
  userid:
    type: str
    description:
      - The unique userid in manageiq, often mentioned as username.
    required: true
  name:
    type: str
    description:
      - The users' full name.
  password:
    type: str
    description:
      - The users' password.
  group:
    type: str
    description:
      - The name of the group to which the user belongs.
  email:
    type: str
    description:
      - The users' E-mail address.
  update_password:
    type: str
    default: always
    choices: ['always', 'on_create']
    description:
      - V(always) updates passwords unconditionally.
      - V(on_create) only sets the password for a newly created user.
"""

EXAMPLES = r"""
- name: Create a new user in ManageIQ
  community.general.manageiq_user:
    userid: 'jdoe'
    name: 'Jane Doe'
    password: 'VerySecret'
    group: 'EvmGroup-user'
    email: 'jdoe@example.com'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      username: 'admin'
      password: 'smartvm'
      validate_certs: false # only do this when you trust the network!

- name: Create a new user in ManageIQ using a token
  community.general.manageiq_user:
    userid: 'jdoe'
    name: 'Jane Doe'
    password: 'VerySecret'
    group: 'EvmGroup-user'
    email: 'jdoe@example.com'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      token: 'sometoken'
      validate_certs: false # only do this when you trust the network!

- name: Delete a user in ManageIQ
  community.general.manageiq_user:
    state: 'absent'
    userid: 'jdoe'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      username: 'admin'
      password: 'smartvm'
      validate_certs: false # only do this when you trust the network!

- name: Delete a user in ManageIQ using a token
  community.general.manageiq_user:
    state: 'absent'
    userid: 'jdoe'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      token: 'sometoken'
      validate_certs: false # only do this when you trust the network!

- name: Update email of user in ManageIQ
  community.general.manageiq_user:
    userid: 'jdoe'
    email: 'jaustine@example.com'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      username: 'admin'
      password: 'smartvm'
      validate_certs: false # only do this when you trust the network!

- name: Update email of user in ManageIQ using a token
  community.general.manageiq_user:
    userid: 'jdoe'
    email: 'jaustine@example.com'
    manageiq_connection:
      url: 'http://127.0.0.1:3000'
      token: 'sometoken'
      validate_certs: false # only do this when you trust the network!
"""

RETURN = r"""
"""

from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.manageiq import ManageIQ, manageiq_argument_spec


class ManageIQUser:
    """
    Object to execute user management operations in manageiq.
    """

    def __init__(self, manageiq):
        self.manageiq = manageiq

        self.module = self.manageiq.module
        self.api_url = self.manageiq.api_url
        self.client = self.manageiq.client

    def group_id(self, description):
        """Search for group id by group description.

        Returns:
            the group id, or send a module Fail signal if group not found.
        """
        group = self.manageiq.find_collection_resource_by("groups", description=description)
        if not group:  # group doesn't exist
            self.module.fail_json(msg=f"group {description} does not exist in manageiq")

        return group["id"]

    def user(self, userid):
        """Search for user object by userid.

        Returns:
            the user, or None if user not found.
        """
        return self.manageiq.find_collection_resource_by("users", userid=userid)

    def compare_user(self, user, name, group_id, password, email):
        """Compare user fields with new field values.

        Returns:
            false if user fields have some difference from new fields, true o/w.
        """
        found_difference = (
            (name and user["name"] != name)
            or (password is not None)
            or (email and user["email"] != email)
            or (group_id and user["current_group_id"] != group_id)
        )

        return not found_difference

    def delete_user(self, user):
        """Deletes a user from manageiq.

        Returns:
            a short message describing the operation executed.
        """
        try:
            url = f"{self.api_url}/users/{user['id']}"
            result = self.client.post(url, action="delete")
        except Exception as e:
            self.module.fail_json(msg=f"failed to delete user {user['userid']}: {e}")

        return dict(changed=True, msg=result["message"])

    def edit_user(self, user, name, group, password, email):
        """Edit a user from manageiq.

        Returns:
            a short message describing the operation executed.
        """
        group_id = None
        url = f"{self.api_url}/users/{user['id']}"

        resource = dict(userid=user["userid"])
        if group is not None:
            group_id = self.group_id(group)
            resource["group"] = dict(id=group_id)
        if name is not None:
            resource["name"] = name
        if email is not None:
            resource["email"] = email

        # if there is a password param, but 'update_password' is 'on_create'
        # then discard the password (since we're editing an existing user)
        if self.module.params["update_password"] == "on_create":
            password = None
        if password is not None:
            resource["password"] = password

        # check if we need to update ( compare_user is true is no difference found )
        if self.compare_user(user, name, group_id, password, email):
            return dict(changed=False, msg=f"user {user['userid']} is not changed.")

        # try to update user
        try:
            result = self.client.post(url, action="edit", resource=resource)
        except Exception as e:
            self.module.fail_json(msg=f"failed to update user {user['userid']}: {e}")

        return dict(changed=True, msg=f"successfully updated the user {user['userid']}: {result}")

    def create_user(self, userid, name, group, password, email):
        """Creates the user in manageiq.

        Returns:
            the created user id, name, created_on timestamp,
            updated_on timestamp, userid and current_group_id.
        """
        # check for required arguments
        for key, value in dict(name=name, group=group, password=password).items():
            if value in (None, ""):
                self.module.fail_json(msg=f"missing required argument: {key}")

        group_id = self.group_id(group)
        url = f"{self.api_url}/users"

        resource = {"userid": userid, "name": name, "password": password, "group": {"id": group_id}}
        if email is not None:
            resource["email"] = email

        # try to create a new user
        try:
            result = self.client.post(url, action="create", resource=resource)
        except Exception as e:
            self.module.fail_json(msg=f"failed to create user {userid}: {e}")

        return dict(changed=True, msg=f"successfully created the user {userid}: {result['results']}")


def main():
    argument_spec = dict(
        userid=dict(required=True, type="str"),
        name=dict(),
        password=dict(no_log=True),
        group=dict(),
        email=dict(),
        state=dict(choices=["absent", "present"], default="present"),
        update_password=dict(choices=["always", "on_create"], default="always"),
    )
    # add the manageiq connection arguments to the arguments
    argument_spec.update(manageiq_argument_spec())

    module = AnsibleModule(
        argument_spec=argument_spec,
    )

    userid = module.params["userid"]
    name = module.params["name"]
    password = module.params["password"]
    group = module.params["group"]
    email = module.params["email"]
    state = module.params["state"]

    manageiq = ManageIQ(module)
    manageiq_user = ManageIQUser(manageiq)

    user = manageiq_user.user(userid)

    # user should not exist
    if state == "absent":
        # if we have a user, delete it
        if user:
            res_args = manageiq_user.delete_user(user)
        # if we do not have a user, nothing to do
        else:
            res_args = dict(changed=False, msg=f"user {userid}: does not exist in manageiq")

    # user should exist
    if state == "present":
        # if we have a user, edit it
        if user:
            res_args = manageiq_user.edit_user(user, name, group, password, email)
        # if we do not have a user, create it
        else:
            res_args = manageiq_user.create_user(userid, name, group, password, email)

    module.exit_json(**res_args)


if __name__ == "__main__":
    main()
